Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
Solution 1
That happens if you are using withCredentials in your client-side request. In that case you can modify the server side to check allowed referers and send the correct URL in the Access-Control-Allow-Origin header. If you do not use credentials, * is accepted.
Some more information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
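The allow-list logic this answer describes, worked through as an added example (it is not code from the answer or from the asker's Java application). It is a Node.js sketch of both sides of the exchange: a server-side function that echoes an allow-listed Origin (never *) together with Access-Control-Allow-Credentials: true and Vary: Origin, and a simplified stand-in for the browser's check on a credentialed request, which rejects the wildcard with the same message Firefox prints in the question. The allow-list contents, the placeholder second origin and the helper names are assumptions for the example; the header values in the sample preflight are the ones from the question.

```javascript
// Added example: server-side CORS decision for credentialed requests, plus a
// simulation of the browser-side check that yields the error in the question.
// Assumption: allow-list entries, the placeholder origin and the function names
// below are constructed for this example; framework wiring is left out.

const ALLOWED_ORIGINS = new Set([
  'http://localhost:4200',      // the dev server origin from the question
  'https://app.example.test',   // constructed placeholder for a real deployment
]);

// Build the CORS response headers for one request (header names lower-cased).
// With credentials in play the server must echo the specific allow-listed
// Origin; a literal "*" is rejected by the browser for credentialed requests.
function corsHeaders(requestHeaders, allowCredentials = true) {
  const origin = requestHeaders['origin'];
  // Always Vary on Origin so a shared cache never replays one origin's
  // response (and its echoed Allow-Origin) to a different origin.
  const headers = { 'Vary': 'Origin' };
  if (!origin) return headers;                      // same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) return headers; // unknown origin: emit no CORS grant at all
  headers['Access-Control-Allow-Origin'] = origin;  // exact echo, not "*"
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (requestHeaders['access-control-request-method']) {
    // Preflight (OPTIONS): also answer the method and header questions.
    headers['Access-Control-Allow-Methods'] = 'GET,POST,PUT,DELETE,HEAD,OPTIONS';
    headers['Access-Control-Allow-Headers'] =
      requestHeaders['access-control-request-headers'] || '';
    headers['Access-Control-Max-Age'] = '1800';
  }
  return headers;
}

// The weak configuration that a permissive server setting or a "CORS unblock"
// extension produces: a wildcard origin combined with credentials.
function wildcardHeaders() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Simplified model of the browser's check for a credentialed request
// (withCredentials: true). Returns null when the response is acceptable,
// otherwise a description of why the browser rejects it.
function browserCredentialedCheck(origin, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return 'missing Access-Control-Allow-Origin';
  if (acao === '*') {
    return "Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'";
  }
  if (acao !== origin) return `Access-Control-Allow-Origin ${acao} does not match ${origin}`;
  if (responseHeaders['Access-Control-Allow-Credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials is not true';
  }
  return null;
}

// Constructed preflight, using the header values shown in the question.
const preflight = {
  'origin': 'http://localhost:4200',
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'iv-groups,iv-user,x-xsrf-token',
};

console.log(corsHeaders(preflight));
console.log(browserCredentialedCheck(preflight.origin, corsHeaders(preflight)));   // null
console.log(browserCredentialedCheck(preflight.origin, wildcardHeaders()));         // the Firefox error
console.log(corsHeaders({ 'origin': 'https://unknown.example.test' }));             // Vary only
```

Two design points worth noting: an origin that is not on the allow-list gets no Access-Control-Allow-Origin header at all rather than a wildcard, so the browser blocks the read, and the echo is an exact string match, which is also what the browser requires for a credentialed request.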
Solution 2
For everyone coming here searching for this issue:
I had an extension installed (CORS Unblock) which had overwritten the headers. Turning that off or uninstalling it removed the problem.
Admin
Updated on June 17, 2022
Comments
-
Admin almost 2 years
My application does some REST requests in a Java web application. The requests are CORS requests, so the browser does an OPTIONS preflight every time before the real one. Each request is similar to:
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: iv-groups,iv-user,x-xsrf-token
Origin: http://localhost:4200
Connection: keep-alive
Cache-Control: max-age=0
The Java application response is:
HTTP/1.1 200
Set-Cookie: JSESSIONID=70A5ED7E8D32DCEE55991D3945994AB0; Path=/blablab; HttpOnly
Set-Cookie: XSRF-TOKEN=35ad4230-b664-400c-84c0-7d06877bf05d; Path=/
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,HEAD,OPTIONS
Access-Control-Allow-Headers: iv-groups, iv-user, x-xsrf-token
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Thu, 22 Nov 2018 08:31:18 GMT
For Firefox this response is a CORS violation; on the console it writes "Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'". For Google Chrome the request is OK and the content is shown.
-
Admin over 5 years
But as you can see, the server response contains the header Access-Control-Allow-Origin: localhost:4200 and not Access-Control-Allow-Origin: *. In Google Chrome it is always OK, but in Firefox the problem seems to always be there.
-
Matt over 3 years
The server response in the question shows Access-Control-Allow-Origin: http://localhost:4200
-
user1544428 over 2 years
Yes. I couldn't log into Twitter and I really doubted that no Firefox user could log into Twitter. I'm working on code locally and I installed a CORS Unblock extension so I could get it to run locally. So, I wish the big browsers would implement more options for CORS, like a white list, or the ability to turn it off for localhost.